ci: upgrade workflows from bind9-sdk patterns and add LICENSE.md

CLA workflow:
- Pin ubuntu-24.04, add timeout, injection safety comment
- Use dedicated cla-signatures branch instead of development
- Versioned signature path (signatures/version1/cla.json)
- Add renovate[bot] to allowlist, lock PRs after merge

CI workflow:
- Pin ubuntu-24.04, RUST_TOOLCHAIN env var, RUSTFLAGS=-Dwarnings
- Add concurrency group (cancel in-progress on same ref)
- Add permissions: contents: read (least privilege)
- Add job dependencies (clippy/test/msrv need fmt first)
- Add timeouts to all jobs
- Add eval feature test job
- Add MSRV check, dependency review, REUSE lint jobs

LICENSE.md:
- Root license file linking to LICENSES/ for GitHub badge display

Author: Sephyi

.github/workflows/ci.yml

@@ -10,59 +10,107 @@ on:
   pull_request:
     branches: [development, main]
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   CARGO_TERM_COLOR: always
+  RUSTFLAGS: -Dwarnings
+  RUST_TOOLCHAIN: "1.94.0"
 
 jobs:
-  check:
-    name: Check (${{ matrix.rust }})
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        rust: [stable, "1.94"]
+  fmt:
+    name: Format
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: ${{ matrix.rust }}
-      - uses: Swatinem/rust-cache@v2
-      - run: cargo check --all-targets
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
+          components: rustfmt
+      - run: cargo fmt --check
 
   clippy:
     name: Clippy
-    runs-on: ubuntu-latest
+    needs: fmt
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@master
         with:
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
           components: clippy
       - uses: Swatinem/rust-cache@v2
       - run: cargo clippy --all-targets -- -D warnings
 
   test:
     name: Test
-    runs-on: ubuntu-latest
+    needs: fmt
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
       - uses: Swatinem/rust-cache@v2
       - run: cargo test --all-targets
 
-  fmt:
-    name: Format
-    runs-on: ubuntu-latest
+  test-eval:
+    name: Test (eval)
+    needs: fmt
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@master
         with:
-          components: rustfmt
-      - run: cargo fmt --check
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo test --all-targets --features eval
+
+  msrv:
+    name: MSRV Check
+    needs: fmt
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ env.RUST_TOOLCHAIN }}
+      - uses: Swatinem/rust-cache@v2
+      - run: cargo check --all-targets
+
+  dependency-review:
+    name: Dependency Review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
 
   audit:
     name: Security Audit
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@v4
       - uses: rustsec/audit-check@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+
+  reuse:
+    name: REUSE Lint
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+      - uses: fsfe/reuse-action@v4

.github/workflows/cla.yml

@@ -2,41 +2,46 @@
 #
 # SPDX-License-Identifier: PolyForm-Noncommercial-1.0.0
 
-name: CLA Assistant
+name: CLA
 
 on:
   issue_comment:
     types: [created]
   pull_request_target:
     types: [opened, closed, synchronize]
 
+# Note: github.event.comment.body in the step-level `if:` is evaluated by
+# the GHA runner (not shell-interpolated) — no injection risk.
+
 permissions:
   actions: write
   contents: write
   pull-requests: write
   statuses: write
 
 jobs:
-  cla:
-    if: |
-      (github.event_name == 'pull_request_target')
-      || (github.event_name == 'issue_comment' && github.event.comment.body == 'recheck')
-      || (github.event_name == 'issue_comment' && startsWith(github.event.comment.body, 'I have read the CLA'))
-    runs-on: ubuntu-latest
+  cla-check:
+    name: CLA Signature
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
       - uses: contributor-assistant/github-action@v2.6.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        if: >-
+          github.event_name == 'pull_request_target'
+          || github.event.comment.body == 'recheck'
+          || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA'
         with:
-          path-to-document: "CLA.md"
-          path-to-signatures: "signatures/cla.json"
-          branch: "development"
-          allowlist: "Sephyi,dependabot[bot],github-actions[bot]"
+          path-to-document: "https://github.com/${{ github.repository }}/blob/development/CLA.md"
+          path-to-signatures: "signatures/version1/cla.json"
+          branch: "cla-signatures"
+          allowlist: "Sephyi,dependabot[bot],renovate[bot],github-actions[bot]"
+          lock-pullrequest-aftermerge: true
           custom-notsigned-prcomment: >-
             Thank you for your contribution! Before we can merge this PR,
-            you need to sign the Contributor License Agreement (CLA.md).
+            you need to sign the [Contributor License Agreement](CLA.md).
             To sign, please reply with a comment containing exactly:
             `I have read the CLA Document and I hereby sign the CLA.`
             You only need to sign once.
           custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA."
-          lock-pullrequest-aftermerge: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

LICENSE.md

@@ -0,0 +1,13 @@
+<!--
+SPDX-FileCopyrightText: 2026 Sephyi <me@sephy.io>
+
+SPDX-License-Identifier: PolyForm-Noncommercial-1.0.0
+-->
+
+# License
+
+CommitBee is licensed under [PolyForm Noncommercial 1.0.0](LICENSES/PolyForm-Noncommercial-1.0.0.txt).
+
+You may use, modify, and distribute this software for any noncommercial purpose. Commercial use requires a separate license — contact [me@sephy.io](mailto:me@sephy.io).
+
+This project is [REUSE](https://reuse.software/) compliant. Every source file carries SPDX headers identifying its copyright and license.